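# CloudFormation template defining the IAM roles of a Cumulus deployment.
# The {{ ... }} markers are Handlebars tags that the deployment tool (Kes,
# per the Description below) expands before the template reaches
# CloudFormation: {{#if}} blocks are dropped or kept, {{#each}} blocks are
# repeated once per configured bucket.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'stack: {{stackName}} | deployed by Kes'

Parameters:
  # Quoted on purpose: an unquoted true/false is read as a YAML boolean,
  # which does not match this parameter's String type. Quoting keeps the
  # values as the strings CloudFormation expects for a String parameter.
  CreateDeploymentRole:
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "true"
  DeploymentUserName:
    Type: String
    Default: "n/a"
  DeploymentStackTemplateUrl:
    Type: String
    Default: "n/a"
  # Prefix applied to every RoleName/InstanceProfileName below and used to
  # scope the resource ARNs in the inline policies to this deployment.
  ResourcePrefix:
    Type: String
    Default: "template-cumulus"
  AlphaNumPrefix:
    Type: String
    Default: "TemplateCumulus"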
Resources:
  # Role for the Lambdas that sit behind API Gateway (the Cumulus API).
  # LambdaProcessingRole below is the counterpart for all other Lambdas.
  LambdaApiGatewayRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-api-gateway"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      # Optional NGAP permissions boundary. When enabled it caps the effective
      # permissions of this role regardless of the inline policy below.
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: LambdaApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only this deployment's async-operation task definitions can be started.
              - Effect: Allow
                Action: ecs:RunTask
                Resource:
                  Fn::Sub: "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*"
              # NOTE(review): the lambda:* actions here (event source mappings,
              # Add/RemovePermission) apply to every function in the account
              # because Resource is "*"; scoping them to
              # arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${ResourcePrefix}-*
              # would keep the API from touching other deployments' functions.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource: "*"
              # Item-level access, limited to this deployment's DynamoDB tables.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"
              # Read access to the streams of the same tables.
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"
              # ListTables is not resource-scopable; "*" is required here.
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'
              # Bucket-level access to every bucket in the deployment config.
              # The Resource list is expanded from `buckets` at render time;
              # NOTE(review): an empty bucket list would leave Resource null,
              # which CloudFormation rejects — confirm the config always has one.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}
              # Object-level access to the same buckets.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
              # NOTE(review): sns:Subscribe/Unsubscribe on "*" reach every topic
              # in the account, not only this deployment's.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:Subscribe
                  - sns:Unsubscribe
                  - sns:List*
                Resource: '*'
              # Queue access limited to this deployment's queues.
              - Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                  - sqs:SendMessage
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"
              # Read-only CloudWatch access.
              - Effect: Allow
                Action:
                  - cloudwatch:List*
                  - cloudwatch:Get*
                  - cloudwatch:Describe*
                Resource: '*'
              # Read-only listing of REST API stages in this region.
              - Effect: Allow
                Action:
                  - apigateway:GET
                Resource:
                  Fn::Sub: "arn:aws:apigateway:${AWS::Region}::/restapis/*/stages"
              # allow adding/editing/deleting of rules associated with this deployment
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:DeleteRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ResourcePrefix}-*"
              # Allow state machine interactions
              # NOTE(review): arn:aws:states:*:*:* is not limited to this region
              # or account; arn:aws:states:${AWS::Region}:${AWS::AccountId}:* is
              # the narrower equivalent. The same pattern is used in every role below.
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*
              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # role for Lambdas that are NOT used with APIGateway
  LambdaProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): lambda:invokeFunction on "*" lets any processing
              # Lambda invoke any function in the account.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"
              # Allow access to kinesis
              # NOTE(review): account-wide; no stream naming convention is
              # visible here to scope this to.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'
              # Allow writing to ingest buckets
              # (bucket-level actions, one ARN per configured bucket)
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}
              # Object-level actions on the same buckets.
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
              # Used for testing bucket policies
              # NOTE(review): a test-only permission that ships in every
              # deployment; PutBucketPolicy can open a bucket to other
              # principals, so consider gating it behind a deployment flag.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"
              # Allow access to dynamoDB
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'
              # Allow access to SQS
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"
              # Allow state machine interactions
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*
              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): unlike LambdaApiGatewayRole, this statement is not
              # scoped to rule/${ResourcePrefix}-*, so it can alter or delete any
              # EventBridge rule in the account.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'
              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'
              # allow publishing to SNS
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'
              # Needed for AWS integration tests
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Role with additional permissions for migrations
  # Identical to LambdaProcessingRole except that the first statement also
  # grants lambda:CreateEventSourceMapping and lambda:ListEventSourceMappings.
  MigrationProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-migration-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: MigrationProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): event-source-mapping creation on "*" is
              # account-wide; see the scoping note on LambdaApiGatewayRole.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"
              # Allow access to kinesis
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'
              # Allow writing to ingest buckets
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
              # Used for testing bucket policies
              # NOTE(review): test-only permission shipped in every deployment
              # (same remark as on LambdaProcessingRole).
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"
              # Allow access to dynamoDB
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'
              # Allow access to SQS
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"
              # Allow state machine interactions
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*
              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): not prefix-scoped (same remark as on LambdaProcessingRole).
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'
              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'
              # allow publishing to SNS
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'
              # Needed for AWS integration tests
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Role assumed by Step Functions to run the deployment's state machines.
  StepRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-steprole"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::Sub: states.${AWS::Region}.amazonaws.com
            Action: sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: StepRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): this policy is the broadest in the template —
              # lambda:InvokeFunction, ecs:RunTask, ecr:*, cloudwatch:*, logs:*
              # and sns:* are all granted on "*". With the NGAP boundary
              # disabled nothing caps them; prefix-scoped ARNs as used in the
              # Lambda roles above would be the defensive choice.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecr:*
                  - cloudtrail:LookupEvents
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:StopTask
                  - ecs:DescribeTasks
                Resource: "*"
              # Rule Step Functions uses to receive ECS task completion events.
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForECSTaskRule"
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                  - iam:GetPolicy
                  - iam:GetPolicyVersion
                  - iam:GetRole
                Resource: "*"

  # Instance role for the ECS container instances; attached to the EC2
  # instances through CumulusInstanceProfile at the end of this section.
  ECSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ECSRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Status updates for async operations, limited to that one table.
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AsyncOperationsTable"
              # ECS agent, ECR pull, autoscaling lifecycle and logging permissions.
              # NOTE(review): ssm:GetParameter on "*" reads any parameter in the
              # account, and lambda:invokeFunction on "*" any function; both
              # could be narrowed to ${ResourcePrefix}-* ARNs.
              - Effect: Allow
                Action:
                  - autoscaling:CompleteLifecycleAction
                  - autoscaling:DescribeAutoScalingInstances
                  - autoscaling:DescribeLifecycleHooks
                  - autoscaling:RecordLifecycleActionHeartbeat
                  - cloudwatch:GetMetricStatistics
                  - ec2:DescribeInstances
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:GetDownloadUrlForLayer
                  - ecs:DeregisterContainerInstance
                  - ecs:DescribeClusters
                  - ecs:DescribeContainerInstances
                  - ecs:DescribeServices
                  - ecs:DiscoverPollEndpoint
                  - ecs:ListContainerInstances
                  - ecs:ListServices
                  - ecs:ListTaskDefinitions
                  - ecs:ListTasks
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:RunTask
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecs:UpdateContainerInstancesState
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:GetLayerVersion
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - ssm:GetParameter
                Resource: "*"
              # Allow state machine interactions
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:DescribeActivity
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*
              # Allow writing to ingest buckets
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}
              # Read/update access to this deployment's tables.
              - Effect: Allow
                Action:
                  - dynamodb:Scan
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
              # HTTP access to this deployment's Elasticsearch domain(s).
              - Effect: Allow
                Action:
                  - es:ESHttpDelete
                  - es:ESHttpGet
                  - es:ESHttpHead
                  - es:ESHttpPost
                  - es:ESHttpPut
                Resource:
                  Fn::Sub: "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ResourcePrefix}-*"

  # Role for the distribution API Lambda. Unlike the roles above, its S3
  # access is limited to buckets typed "protected" or "public" by the
  # BucketIsType helper at render time.
  DistributionApiRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-distribution-api-lambda"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: DistributionApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Access-token storage, limited to that one table.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AccessTokensTable"
              # NOTE(review): event-source-mapping management on "*" is
              # account-wide; see the scoping note on LambdaApiGatewayRole.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                Resource: "*"
              # Bucket-level access, protected/public buckets only.
              # NOTE(review): s3:PutBucket* includes policy/ACL changes, which a
              # distribution endpoint is unlikely to need.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}
                  {{/BucketIsType}}
                  {{/each}}
              # Object-level access, protected/public buckets only.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/BucketIsType}}
                  {{/each}}
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'
              # Needed for running the Lambda in a VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # Service role for Application Auto Scaling (DynamoDB tables and ECS services).
  ScalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-scaling-role"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: application-autoscaling.amazonaws.com
            Action: sts:AssumeRole
      # Optional NGAP permissions boundary (see LambdaApiGatewayRole).
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: '/'
      Policies:
        - PolicyName: ScalingPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): dynamodb:UpdateTable and ecs:UpdateService on "*"
              # affect every table/service in the account, not only this
              # deployment's.
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DeleteAlarms
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:PutMetricAlarm
                  - cloudwatch:SetAlarmState
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: '*'

  # Instance profile that hands ECSRole to the ECS container instances.
  CumulusInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      Path: "/"
      Roles:
        - Ref: ECSRole
# Stack outputs exposing the ARNs of the roles and instance profile defined
# above, in the order the resources appear in this template.
Outputs:
  CumulusInstanceProfileArn:
    Value:
      Fn::GetAtt: [CumulusInstanceProfile, Arn]
  EcsRoleArn:
    Value:
      Fn::GetAtt: [ECSRole, Arn]
  LambdaApiGatewayRoleArn:
    Value:
      Fn::GetAtt: [LambdaApiGatewayRole, Arn]
  LambdaProcessingRoleArn:
    Value:
      Fn::GetAtt: [LambdaProcessingRole, Arn]
  MigrationProcessingRoleArn:
    Value:
      Fn::GetAtt: [MigrationProcessingRole, Arn]
  DistributionRoleArn:
    Value:
      Fn::GetAtt: [DistributionApiRole, Arn]
  StepRoleArn:
    Value:
      Fn::GetAtt: [StepRole, Arn]
  ScalingRoleArn:
    Value:
      Fn::GetAtt: [ScalingRole, Arn]